Web Server Security Model

Secure applications require a client to be authenticated as a valid
application user and have authorization to access servlets and JSPs.

Applications with a secure web container may enforce the following security
processes for clients:

Authenticate the caller

Authorize the caller for access to each servlet/JSP based
on the applicable access control configuration

Authentication is the process of confirming an identity. Authorization means
granting access to a restricted resource to an identity. Access control
mechanisms enforce these restrictions. Authentication and authorization can
be enforced by a number of security models and services.

Web Server provides authentication and authorization support through
the following mechanisms, which are discussed in this section:

ACL-based authentication and authorization

Java EE/Servlet-based authentication and authorization

Whether performed by the ACL subsystem or the Java EE/Servlet authentication
subsystem, authentication and authorization are still the two fundamental
operations that define secure web content.

Web Server supports authentication and authorization through the use
of locally stored ACLs, which describe what access rights a user has for a
resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:

For more information about ACL-based access control and the use of external
crypto hardware, see the Web Server Administrator’s Guide.

Java EE/Servlet-Based Authentication and Authorization

In addition to providing ACL-based authentication, Web Server also
implements the security model defined in the Java EE 1.4 specification to
provide several features that help you develop and deploy secure Java web
applications.

A typical Java EE-based web application consists of the following parts,
access to any or all of which can be restricted:

Servlets

JavaServer Pages (JSP) components

HTML documents

Miscellaneous resources, such as image files and compressed
archives

The Java EE servlet-based access control infrastructure relies on the
use of security realms. When a user tries to access the main page of an application
through a web browser, the web container prompts for the user's credential
information. The container then passes the information for verification to
the realm that is currently active in the security service.

A realm represents a set of known users along with optional group membership
information. The main implementation also encapsulates a mechanism for performing
authentication against the data set.

The main features of the Java EE/Servlet-based access control model
are described below:

Authentication is performed by Java security realms that are configured
through <auth-realm> entries in the server.xml file.

Authorization is performed by access control rules in the
deployment descriptor file, web.xml, if any such rules
have been set.

Web Application and URL Authorizations

Secure web applications may have authentication and authorization properties.
The web container supports three types of authentication: basic, certificate,
and form-based. The core ACLs support basic, certificate, and digest. For
more information about ACL configuration, see the Sun Java System Web Server 7.0 Update 3 Administrator’s Guide.

When a browser requests an application URL that requires authentication,
the web container collects the user authentication information (for example,
user name and password) and passes it to the security service for authentication.

For Java EE web applications, Web Server checks the application's web.xml file
for information on which parts of the application are protected and which
roles are authorized to access them. It also checks sun-web.xml to
see whether the currently authenticated user belongs to one of the required
roles, either directly through user mapping or indirectly through group mapping.
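
The role lookup described above can be reproduced offline to audit who can reach a protected URL. The following is an added example, not code from Web Server or its documentation: the descriptors, the user, group and role names, and the function names are constructed for illustration, and the groups passed in stand for whatever the active realm returned for the authenticated user.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors; user, group and role names are made up.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>manager</role-name>
    <principal-name>alice</principal-name>
    <group-name>ops</group-name>
  </security-role-mapping>
</sun-web-app>"""

def parse(text):
    root = ET.fromstring(text)
    for el in root.iter():          # drop XML namespaces so lookups stay simple
        el.tag = el.tag.split("}")[-1]
    return root

def required_roles(web_xml, path):
    """Roles named by constraints covering path (exact and /prefix/* patterns only)."""
    roles = set()
    for sc in parse(web_xml).iter("security-constraint"):
        for pat in sc.iter("url-pattern"):
            p = pat.text.strip()
            if p == path or (p.endswith("/*") and (path + "/").startswith(p[:-1])):
                roles.update(r.text.strip() for r in sc.iter("role-name"))
    return roles

def user_roles(sun_web_xml, user, groups):
    """Roles held directly (principal-name) or through a group (group-name)."""
    held = set()
    for m in parse(sun_web_xml).iter("security-role-mapping"):
        principals = {e.text.strip() for e in m.findall("principal-name")}
        mapped_groups = {e.text.strip() for e in m.findall("group-name")}
        if user in principals or mapped_groups & set(groups):
            held.add(m.findtext("role-name").strip())
    return held

def is_authorized(path, user, groups=()):
    needed = required_roles(WEB_XML, path)   # empty set: no constraint covers path
    return not needed or bool(needed & user_roles(SUN_WEB_XML, user, groups))
```

A role that appears in web.xml but has no security-role-mapping entry in sun-web.xml shows up here as a constraint that no user can satisfy, which is a common cause of unexpected access denials after deployment.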